2018-02-16 Emotet Maldoc

Here is a quick writeup for another Emotet maldoc that I saw. Unfortunately I did not get a copy of the email, but it did have a link in it which led to the maldoc. There were two things in this sample that were different from what I have seen before: 1) no communications over TCP port 8080, and 2) the POST actually returned a status 200 and not the usual status 400. Outside of that, this was pretty much the same Emotet that I have seen in the past. There is nothing on how to walk through the script this time, other than a quick cleanup of the PoSH script. All the artifacts from this run can be found over at my GitHub here. Enjoy!

IOCs:
=====
129.232.180.26 / oliveexpretservices[.]co.za (GET /Invoice)
50.63.73.1 / eveningcalendar[.]com (GET /cCC7zIg)
37.187.57.57:443 / kenion[.]com.mx (POST /)
eveningcalendar[.]com (Not used in this sample)
cranexltd[.]com (Not used in this sample)
evenement-direct[.]fr (Not used in this sample)
chiocca[.]com (Not used in this sample)
nathandigesare[.]com (Not used in this sample)

Once the malicious binary is downloaded to the system and executed, we see the parent process create a copy of itself and then create a “wlanwin.exe” process, which in turn creates another “wlanwin.exe” process (by this time all of the other parent processes have been closed out).

Persistence is maintained by using the usual “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” key as seen below.

The callbacks are done over the usual port 443, but non-encrypted, as seen below.
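As an added, defender-side example (not code from the original post): a small Python triage that looks for the three observations above in constructed Sysmon-style records: a process spawning a child with its own image name, a Run-key value pointing at that image, and a port-443 flow that opens with a plaintext HTTP request line instead of a TLS record. The record layout, field names and file paths are assumptions; the destination IP and POST path come from the IOC list.

```python
import ntpath
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed Sysmon-style records (field names and paths are assumptions, not the post's data):
# dropper -> copy of itself -> wlanwin.exe -> wlanwin.exe, a Run-key value, plaintext HTTP to TCP/443.
WLANWIN = r"C:\Users\u\AppData\Local\wlanwin\wlanwin.exe"
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 50, "image": r"C:\Users\u\Downloads\Invoice.exe"},
    {"type": "proc", "pid": 101, "ppid": 100, "image": r"C:\Users\u\Downloads\Invoice.exe"},
    {"type": "proc", "pid": 102, "ppid": 101, "image": WLANWIN},
    {"type": "proc", "pid": 103, "ppid": 102, "image": WLANWIN},
    {"type": "reg", "pid": 103, "key": RUN_KEY + r"\wlanwin", "data": WLANWIN},
    {"type": "net", "pid": 103, "dst": "37.187.57.57", "dport": 443, "payload": b"POST / HTTP/1.1\r\n"},
    {"type": "net", "pid": 200, "dst": "10.0.0.5", "dport": 443, "payload": b"\x16\x03\x01\x02\x00"},  # TLS
]

def base(path):
    return ntpath.basename(path).lower()

def self_spawns(events):
    """(parent_pid, child_pid, image name) for every process whose parent runs the same image."""
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    hits = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent and base(parent["image"]) == base(e["image"]):
            hits.append((parent["pid"], e["pid"], base(e["image"])))
    return hits

def run_keys_for(events, image_names):
    """Run-key values whose data points at one of the suspicious image names."""
    return [(e["key"], e["data"]) for e in events if e["type"] == "reg"
            and e["key"].lower().startswith(RUN_KEY.lower()) and base(e["data"]) in image_names]

def plaintext_http_on_443(events):
    """Port-443 flows that open with an HTTP request line instead of a TLS record header (0x16 0x03)."""
    hits = []
    for e in events:
        if e["type"] != "net" or e["dport"] != 443 or e["payload"].startswith(b"\x16\x03"):
            continue
        m = re.match(rb"(GET|POST) (\S+) HTTP/1\.[01]\r\n", e["payload"])
        if m:
            hits.append((e["pid"], e["dst"], m.group(1).decode(), m.group(2).decode()))
    return hits

def triage(events):
    chains = self_spawns(events)  # correlate the Run key with the self-spawning image names
    return {"self_spawns": chains, "run_keys": run_keys_for(events, {n for *_, n in chains}),
            "plaintext_443": plaintext_http_on_443(events)}
```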